For SSL compression to work, the Citrix SD-WAN WANOP appliance needs certificates from either the server or the client. To support multiple servers, multiple private keys can be installed on the appliance, one per SSL profile. Special SSL rules in the service class definitions match up servers to SSL profiles, and thus SSL profiles to private keys.

SSL compression works in split proxy or transparent proxy mode; choose the mode that fits your requirements. For more information, see How SSL Compression Works.

Note

Transparent proxy mode is currently not supported.

To enable secure access with an SSL tunnel, the SSL proxy uses TLS 1.2, the latest SSL protocol. You can choose to use the TLS 1.2 protocol only, or to use the TLS 1.0, TLS 1.1 and TLS 1.2 protocols.

Note

SSL protocols SSL v3 and SSL v2 are no longer supported.

To configure SSL compression:

Acquire copies of your server’s CA certificate and private certificate-key pair and install them on the server-side appliance. These credentials are likely to be application-specific. That is, a server might have different credentials for an Apache Web server than for an Exchange Server running RPC over HTTPS.

Create either a split proxy SSL profile or a transparent proxy SSL profile.

Attach the SSL profile to a service class on the server-side appliance. This can be done by either creating a new service class based on the server IP, or by modifying an existing service class.

For more information, see the Create or modify the service class section below.

Set service classes on the client-side appliance. SSL traffic is not compressed unless it falls into a service class, on the client-side appliance, that enables acceleration and compression. This can be an ordinary service-class rule, not an SSL rule (only the server-side appliance needs SSL rules), but it must enable acceleration and compression. The traffic falls into an existing service class, such as “HTTPS” or “Other TCP Traffic.” If this class’s policy enables acceleration and compression, no additional configuration is needed.

Verify operation of the rule. Send traffic that should receive SSL acceleration through the appliances. On the server-side appliance, on the Monitoring: Optimization: Connections: Accelerated Connections tab, the Service Class column should match the service class you set up for secure acceleration, and the SSL Proxy column should list True for appropriate connections.

Configure transparent proxy SSL profile

You can either manually add an SSL profile or import one that is stored on your local computer.

In the Profile Name field, enter a name for the SSL profile and select Profile Enabled.

If your SSL server uses more than one virtual host name, enter the target virtual host name in the Virtual Host Name field. This is the host name listed in the server credentials.

Note

To support multiple virtual hosts, create a separate SSL profile for each host name.

Choose Transparent proxy type.

In the SSL Server’s Private Key field, select the server’s private key from the drop-down menu, or click + to upload a new private key.

Click Create.
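
Before uploading credentials to an SSL profile, it is worth confirming that the private key belongs to the certificate, that the certificate verifies against the CA certificate, and that the Virtual Host Name you plan to enter is the name listed in the certificate. The script below is an added example, not part of the Citrix documentation; it uses the standard openssl command line, and the file names, host names and self-signed sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Pre-install checks for the credentials an SSL profile will use.
# All file names and host names here are constructed samples.

# True when the private key and the certificate carry the same public key.
key_matches_cert() {   # usage: key_matches_cert KEY CERT
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when HOSTNAME is a name the certificate is valid for.
cert_names_host() {    # usage: cert_names_host CERT HOSTNAME
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# True when CERT verifies against the CA certificate.
chains_to_ca() {       # usage: chains_to_ca CA_CERT CERT
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Constructed sample: a self-signed pair, so the certificate is its own CA.
make_pair() {          # usage: make_pair DIR NAME HOSTNAME
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_pair "$demo" mail mail.example.test
make_pair "$demo" other other.example.test

# A key from a different server must be rejected before it reaches a profile.
for key in mail other; do
    if key_matches_cert "$demo/$key.key" "$demo/mail.crt"; then
        echo "$key.key matches mail.crt"
    else
        echo "$key.key does NOT match mail.crt"
    fi
done

# The Virtual Host Name must be a name the certificate actually lists.
for host in mail.example.test other.example.test; do
    if cert_names_host "$demo/mail.crt" "$host"; then
        echo "$host is listed in mail.crt"
    else
        echo "$host is NOT listed in mail.crt"
    fi
done
```

With real credentials, call the three functions on the server's key, certificate and CA certificate files instead of the generated samples.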

Create or modify the service class

To create or modify the service class and attach the SSL Profile:

In the Citrix SD-WAN WO appliance web interface, navigate to Configuration > Optimization Rules > Service Classes and click Add. To edit an existing service class, select the appropriate service class and click Edit.

In the Name field, enter a name for the new service class (for example, “Accelerated HTTPS”).

Enable compression by setting the Acceleration Policy to Disk, Memory or Flow Control.

In the Direction field, set the rule to Unidirectional. SSL profiles are disabled if Bidirectional is specified.

In the SSL Profiles section, select the SSL profile that you created and move it to the Configured section.

Click Create to create the rule.

Click Create to create the service class.

Updated CLI command

Citrix SD-WAN WO 9.3 supports the latest TLS 1.2 SSL protocol. You can choose to use the TLS 1.2 protocol only or any version of the TLS protocol. The SSL v3 and SSL v2 protocols and transparent proxy SSL profiles are not supported. The add ssl-profile and set ssl-profile CLI commands are updated to reflect these changes.
